======================================================================================
TCP Start timeout / TCP Session timeout / TCP End timeout on CheckPoint firewall:
Shunichi Mikame (smikame@ipv4sec.com) - 03/18/2005
======================================================================================

There are 3 different TCP timeouts on the CheckPoint firewall that govern how a
session is processed. Here is the TCP packet flow we need to check for each one.

1) TCP start timeout

This is the time the firewall allows for the start of a TCP session (e.g. 300
seconds). This packet exchange (the TCP 3-way handshake followed by the first data
packet) is REQUIRED to open a connection in the state tables. If the 4-packet
exchange does not pass through the firewall within the allowed time (e.g. 300
seconds), the connection is not entered into the connections table, meaning that
packets sent after this time are dropped as 'th_flags 11 message_info TCP packet
out of state'.

Our firewall requires the following 4 packets to be sent within 300 seconds.

Client                          Server
   ------------Syn------------->
   <------ Syn/Ack--------------
   ------------Ack------------->
   <---Push/Ack (data)----------

2) TCP Session timeout

After the connection has successfully completed these 4 packets within 300 seconds,
a second timer starts for the TCP session. This timer allows up to 3600 seconds
between packets before a connection is dropped from the table; however, the timeout
value depends on the service we have defined. We have increased this timeout value
for telnet, ftp, SQL, etc., but most other services are left at the default of
3600 seconds. This is known as the session idle timeout.

Client                          Server
   ------------Syn------------->
   <------ Syn/Ack--------------
   ------------Ack------------->
   <------Push/Ack (data)-------
   ------------Ack------------->
   <------Push/Ack (data)-------
   ------------Ack------------->
   up to 3600 seconds can pass here
   ---Push/Ack (data)---------->
   <------------Ack-------------
   up to 3600 seconds can pass again here
   <---Push/Ack (data)----------
   -------------Ack------------>

If over 3600 seconds pass and no data is sent between the client and the server,
then our firewall drops the connection from its table. Packets sent after this timer
has expired are also dropped as 'th_flags 11 message_info TCP packet out of state'.

3) Closing TCP session

After the first FIN is seen by the firewall, it waits up to 50 seconds for the full
4-packet exchange to occur. Packets sent after this timer has expired are also
dropped as 'th_flags 11 message_info TCP packet out of state'. However, because FIN
is the session-closing process (the server or client wants to close the session, so
it sends FIN), even if the firewall drops the packet, I don't think anyone will
complain about this drop (but the session cannot be closed/terminated cleanly, so
the session may hang and the application process may not be terminated on the
server or client side, depending on the circumstances).

Client                          Server
   ------------Fin------------->
   <------ Fin/Ack--------------
   <-----------Fin--------------
   ------- Fin/Ack------------->
======================================================================================
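A toy state-machine model of the three timers described above, as an added example that is not Check Point's code or configuration; the timer values are assumptions taken from the figures in the note, the packet timelines are constructed samples, and only a single connection is tracked with flags matched as plain strings. Each packet is applied to the tracked entry and is either accepted or dropped with the out-of-state message the note quotes.

```python
from dataclasses import dataclass

# Timer values are assumptions taken from the text above, not values read from
# any Check Point product; the real values are set per service in the policy.
START_TIMEOUT = 300     # TCP start timeout: handshake plus first data packet
SESSION_TIMEOUT = 3600  # TCP session (idle) timeout, the default for most services
END_TIMEOUT = 50        # TCP end timeout: window for the 4-packet FIN exchange
OUT_OF_STATE = "th_flags 11 message_info TCP packet out of state"

@dataclass
class Conn:
    state: str = "NONE"    # NONE, STARTING, ESTABLISHED or CLOSING
    deadline: float = 0.0  # absolute time at which the active timer expires
    start_pkts: int = 0    # packets seen so far in the 4-packet opening exchange
    fin_pkts: int = 0      # packets seen so far in the 4-packet closing exchange

def process(conn, t, flags):
    """Apply one packet (arrival time t in seconds, TCP flag string) to the tracked
    connection and return 'accept' or the drop message the firewall would log."""
    if conn.state != "NONE" and t > conn.deadline:
        conn.state = "NONE"          # timer expired: entry removed from the table
    if conn.state == "NONE":
        if flags != "SYN":
            return OUT_OF_STATE      # no table entry and not a new SYN
        conn.state, conn.deadline, conn.start_pkts = "STARTING", t + START_TIMEOUT, 1
        return "accept"
    if conn.state == "STARTING":
        conn.start_pkts += 1
        if conn.start_pkts == 4:     # SYN, SYN/ACK, ACK, PSH/ACK (data) all seen
            conn.state, conn.deadline = "ESTABLISHED", t + SESSION_TIMEOUT
        return "accept"
    if conn.state == "ESTABLISHED":
        if flags.startswith("FIN"):  # first FIN starts the 50 s end timeout
            conn.state, conn.deadline, conn.fin_pkts = "CLOSING", t + END_TIMEOUT, 1
        else:                        # any other packet restarts the idle timer
            conn.deadline = t + SESSION_TIMEOUT
        return "accept"
    conn.fin_pkts += 1               # CLOSING: count the FIN / FIN-ACK exchange
    if conn.fin_pkts == 4:
        conn.state = "NONE"          # clean close, entry removed
    return "accept"

def run(packets):
    conn = Conn()                    # one fresh connections-table entry
    return [process(conn, t, f) for t, f in packets]

# Constructed sample: normal open, then 3700 s of silence before more data, which
# exceeds the 3600 s idle timeout, so the last packet is dropped out of state.
IDLE_TIMELINE = [(0, "SYN"), (0.1, "SYN/ACK"), (0.2, "ACK"), (1.0, "PSH/ACK"),
                 (1.1, "ACK"), (3700, "PSH/ACK")]
```

The same `run()` reproduces the other two drop cases from the note: a 4-packet open that takes longer than 300 s, and a FIN exchange whose last packets arrive more than 50 s after the first FIN.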